Fault detection in an industrial controller during safety control



The present invention relates to diagnostics of a CPU executing instructions for safety control in the context of an industrial control system.



BACKGROUND ART

Industrial control systems are for instance applied in manufacturing and process industries, such as chemical plants, oil production plants, refineries, pulp and paper mills, steel mills and automated factories. Industrial control systems are also widely used within the power industry. A standard defining language constructs for an industrial control system is IEC 61131-3. Such an industrial control system may comprise or may be combined with certain devices adding safety features. An example of such a device is a safety controller. Examples of processes which require additional safety features beyond what a standard industrial control system provides are processes at off-shore production platforms, certain process sections at nuclear power plants and hazardous areas at chemical plants. Safety features may be used in conjunction with safety shutdown, fire and/or alarm systems as well as for fire-and-gas detection. The use of complex computer systems relating to industrial control systems with added safety features raises challenges in the increased need to detect faults in an industrial
One example of a device in an industrial control system which has increased capability of fault detection is described in GB 2 277 814, which concerns a fault tolerant PLC (Programmable Logic Controller) including a CPU. A pair of first I/O modules are connected between a positive power bus and a load. A pair of second I/O modules are connected between the negative power bus and the load. GB 2 277 814 further describes that power to the load is not disconnected upon failure of one of the I/O modules on either side of the load. A disadvantage of the method is that it does not take into account possible failures in the CPU.
In general computing it is known to let a program execute a test including CPU instructions and compare the result with a predetermined correct result. This can be done once at start-up time or cyclically in runtime. US 6 081 908 describes a method to store and verify a test code. The method concerns the test of a one-chip micro-computer having at least a CPU and a ROM installed in a single
Other known general computing methods to detect faults in a CPU utilise a watchdog timer. A timer counter receives a clocked input pulse of predetermined frequency, and the count of the timer counter is incremented each time a pulse of the clocked input is applied. In the event that the count reaches a pre-set maximum count, the timer counter generates an output pulse. The CPU is programmed with a self-test module which checks whether the computer processor is performing correctly. Periodically, a signal derived from the self-test module is supplied by the CPU to the reset input to reset the counter. If a fault occurs in the CPU the reset will not occur and the counter will reach its maximum value, which indicates a fault. A disadvantage with such a method is that when a fault occurs in the CPU the reset signal may be stuck and the counter might never reach its maximum value despite a fault in the CPU.

EP 1 063 591 describes a method for detecting a fault condition in a computer processor operating a main program. The method comprises the step of sequentially performing a plurality of functions on an initial input value. A disadvantage with this fault detection is that it does not describe how to detect faults in a CPU that otherwise would occur during execution of an application program comprising safety related instructions.

In prior art a CPU intended for safety control may be tested by executing an application program off-line, that is before the safety controller is used for on-line safety control of real world objects. A disadvantage with such an approach is that once the CPU is used for on-line safety control it is during execution of the application program that a possible CPU fault occurs; hence such an approach will not detect CPU faults during on-line safety control. Another disadvantage is that such an off-line test is not automatically performed; hence the off-line test is performed only if a person initiates an off-line test. A more thorough test known in prior art is to run a test program off-line which comprises all main instructions of the CPU. A disadvantage with such a test method is that it is not suitable for on-line test since it tends to become too CPU consuming.
SUMMARY OF THE INVENTION

An object of the invention is to provide a method to detect a fault in a CPU of an industrial controller which is intended for safety control of real world objects. The invention enables the detection of a fault in the CPU during on-line execution of an application program by repeatedly executing a test application. The test application comprises a subset of the total number of the assembler instructions available for the CPU.

This and other objects are fulfilled by the present invention according to a method described in claim 1. Advantageous embodiments are described in the sub-claims.
A method based on the invention comprises a step where the high-level language constructs defined in an application program are additionally defined in a test application. The application program is defined in a high level language intended for safety control and is later compiled into assembler instructions. The method comprises a step where the test application is compiled into assembler instructions, where the assembler instructions are a subset of the total number of instructions available for the CPU. The application program as well as the test application is downloaded to the industrial controller. In the industrial controller the test application is repeatedly executed. Further, a result from the test application is compared with a pre-defined result in a test module. The method comprises a further step where faults in the CPU are detected during on-line safety control of real world objects, where a fault in the CPU is detected by executing the test application.



15/10/02 12:59 ABB PATENT 46 21 181386 PAT.VERK.FORS. 2002-10-15

A method based on the invention enables the detection of a fault in the CPU which is made evident at the execution of a certain assembler instruction comprised in the test application. Examples of faults in the CPU are failures in the registers of the CPU and failures in memory such as cache memory. The invention enables the detection of a CPU fault before the assembler instruction is executed by a safety critical application program. An important aspect of the invention is that the detection of a CPU fault at the execution of a certain assembler instruction is made during on-line safety control of real world objects. The steps of the method based on the invention are not necessarily performed in the order they are mentioned.

In the context of the invention the term industrial controller should not limit the scope of the invention, and an example of an alternative term is a PLC (Programmable Logic Controller).

Yet a further object of the invention is to provide a computer program product for use in an industrial control system, containing software code means loadable into the central unit of an industrial controller intended for safety control of real world objects. The said computer program product comprises means to make the industrial controller execute the relevant steps of the previously described method.

Yet another object of the invention is to provide an industrial control system, comprising an industrial controller with a central unit equipped with a CPU intended for safety control of real world objects, and an I/O system where the CPU is subject to fault detection according to the above described method.

An important advantage of the invention at hand is that it provides an enhanced safety integrity level of safety critical applications.

A further advantage of the invention is that it discloses an efficient way to test CPU instructions and detect faults related to safety control of real world objects where the safety application is defined in a high-level control language such as IEC 61131-3.

A further advantageous feature of the invention is that it provides for detection of a fault in a CPU, which fault is made evident at execution of a certain CPU instruction.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be described in more detail in connection with the enclosed schematic drawings.

Figure 1 shows a simplified diagram of the test application (in a high-level language such as IEC 61131-3); the test application is compiled into CPU instructions in assembler.

Figure 2 shows an overview of a method based on the invention.

Figure 3 is a schematic overview of a system based on the invention.






DETAILED DESCRIPTION OF THE INVENTION

Figure 1 shows a central unit 6 of an industrial controller comprising a CPU 8, 22. A CPU 22 intended for safety control of real world objects 24 is typically a CPU intended for general industrial use. Such a CPU is comprised in a central unit 6 of an industrial controller. An example of such a CPU is the MPC86x CPU from Motorola Inc. Such a CPU has an instruction set of approximately 230 main instructions. A typical application program relating to safety control of real world objects utilises 1/3 of the main instructions. The inventors have found that an efficient on-line fault detection of the CPU is to execute a test application containing only those assembler instructions which previously were derived from a test application defined in a high-level control language such as IEC 61131.
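The subset relation described above can be checked before download. The following is an added example and not code from the patent: it takes two constructed assembler listings (PowerPC-style mnemonics standing in for the compiled application program and the compiled test application), and reports any instruction the application program uses that the test application would never exercise, which is exactly the gap the cyclic test is meant to close.

```c
/* Added example, not from the patent: off-line check that a compiled test
 * application exercises every assembler mnemonic the application program
 * uses. The listings are constructed fragments, not real compiler output. */
#include <stdio.h>
#include <string.h>

#define MAX_MNEM 64
#define MNEM_LEN 16

/* Constructed listings: the mnemonic is the text before the first space. */
static const char *app_listing[] = {
    "lwz r3,0(r4)", "addi r3,r3,1", "cmpwi r3,10", "bgt alarm",
    "stw r3,0(r4)", "mulli r5,r3,4", "andi. r6,r5,0xff", "blr", NULL };
static const char *test_listing[] = {
    "lwz r3,0(r4)", "addi r3,r3,1", "cmpwi r3,10", "bgt next",
    "stw r3,0(r4)", "mulli r5,r3,4", "blr", NULL };

typedef struct { char name[MAX_MNEM][MNEM_LEN]; int n; } mnem_set;

static void mnemonic_of(const char *line, char *out, size_t cap) {
    size_t i = 0;
    while (line[i] && line[i] != ' ' && i + 1 < cap) { out[i] = line[i]; i++; }
    out[i] = '\0';
}

static int set_has(const mnem_set *s, const char *m) {
    for (int i = 0; i < s->n; i++)
        if (strcmp(s->name[i], m) == 0) return 1;
    return 0;
}

/* Collect the distinct mnemonics of a listing: the instruction subset it uses. */
static void collect(const char **listing, mnem_set *s) {
    s->n = 0;
    for (int i = 0; listing[i]; i++) {
        char m[MNEM_LEN];
        mnemonic_of(listing[i], m, sizeof m);
        if (!set_has(s, m) && s->n < MAX_MNEM) strcpy(s->name[s->n++], m);
    }
}

/* Size of the instruction subset a listing uses. */
int distinct_count(const char **listing) {
    mnem_set s; collect(listing, &s); return s.n;
}

/* Number of application mnemonics the test application never executes. */
int uncovered_count(const char **app, const char **test) {
    mnem_set a, t;
    int gaps = 0;
    collect(app, &a);
    collect(test, &t);
    for (int i = 0; i < a.n; i++)
        if (!set_has(&t, a.name[i])) gaps++;
    return gaps;
}

/* First application mnemonic missing from the test, or "" if fully covered. */
const char *first_uncovered(const char **app, const char **test) {
    static char missing[MNEM_LEN];
    mnem_set a, t;
    collect(app, &a);
    collect(test, &t);
    missing[0] = '\0';
    for (int i = 0; i < a.n; i++)
        if (!set_has(&t, a.name[i])) { strcpy(missing, a.name[i]); break; }
    return missing;
}

int main(void) {
    int app_n = distinct_count(app_listing), gaps = uncovered_count(app_listing, test_listing);
    printf("test exercises %d of %d application mnemonics\n", app_n - gaps, app_n);
    if (gaps) printf("first uncovered instruction: %s\n", first_uncovered(app_listing, test_listing));
    return gaps != 0;   /* any gap means the test application must be extended */
}
```

With the constructed listings the check reports that the test application leaves the application's "andi." instruction unexercised, so a fault on that path would first surface in the safety application rather than in the test.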

Figure 1 shows an overview of the invention. A test application 1 comprises all relevant high-level language constructs for safety control of real world objects 24. In a preferred embodiment the high-level test application is defined according to IEC 61131-3. The language version may be any of those defined in IEC 61131-3, such as structured text, ladder or function block diagram. The test application 1 is compiled 2 to a test application in assembler code 3. The test application, which has been compiled into assembler code 3, comprises instructions which are a subset of the total available main instructions 4 for the CPU. Hence, the majority of the main CPU instructions 5 are not used in the test application 3, which results in the test application consuming less resources during execution compared to a test including all available CPU instructions. In an embodiment of the invention the test application comprises the
assembler instructions corresponding to an application program for on-line safety control. Further, figure 1 shows that the test application in assembler code is down-loaded 7 to at least one central unit 6 of the industrial controller. A central unit 6 may comprise a plurality of modules and/or boards, such as circuit boards. A typical central unit 6 comprises a back-plane and communication means for communicating with real world objects. For redundancy reasons the central unit may comprise a plurality of a certain type of circuit boards and/or modules. An example of such redundancy is redundant main CPU boards. The test application 3 is executed by the CPU 8, 22 intended for safety control of real world objects 24. A validation module 11 is used for a test validation function of the result 10 of an execution of the test application. The module 11 receives output values 10 from the CPU executing the test application 3 and compares the results with predefined results. The module 11 may also send input values 9 to the test application executing in the CPU. A synchronization 12 between the CPU 8 and the module 11 may be used in order to flag to the test validation function when an output value is available. In one embodiment the validation module 11 comprises a Dual Port Memory which is used for the updates of output from the test application 3 and allows the validation function of the module 11 to access the output values. The output values may contain a sequence number which is used by the validation function to establish which test parameters the test application has answered on.

It should be appreciated that the invention increases the reliability of the on-line safety control considerably compared with what is revealed in prior art. That is due to the fact that the test application is executed even during on-line safety control and that it in its compiled form comprises all the individual assembler instructions of the application program. During a stable process and normal control of real world objects certain assembler instructions are not executed. The detection of an abnormal or dangerous process situation, such as the detection of explosive or toxic gas, may take place weeks or months after the initial down-load of the application program. After the detection of an abnormal or dangerous process situation the application program for safety control of real world objects may execute routines and certain assembler instructions which are not executed during a stable process and normal control of real world objects. The invention ensures that also those certain assembler instructions are subject to execution, but by the test application, in order to detect errors in the CPU.

Figure 2 shows an overview of a method based on the invention. It is a method to detect a fault in a CPU of an industrial controller during on-line safety control of real world objects. Figure 3 shows that the method comprises the step of compiling 16 an application program, defined in a high level language intended for safety control, into assembler code. The method comprises the step of compiling 17 the test application 1 into assembler instructions 3, where the test application was previously defined in the same high level language as the application program. As an alternative term, assembler code may be used instead of assembler instructions. The assembler instructions of the compiled test application are a subset of the total number of assembler instructions available for the CPU, defining a test application where the test application covers at least all language constructs used in the application program.

Figure 2 further shows a downloading step 17 where the application program, the test application and a pre-defined result of the test application are downloaded to the central unit 6 of an industrial controller. In a preferred embodiment the down-load 7 of the test application and the application program is made in sequence as a consequence of an update or change in the application program. It is preferred that the software routines managing the down-load of the application program automatically down-load the test application. However, it is also possible to execute the down-loading step in such a way that the test application as well as the predefined result is down-loaded at another time than the application program. The method comprises the further step of executing 18 repeatedly the assembler test application in the industrial controller. In one embodiment of the invention the test application is executed cyclically. It is preferred that the cycle time is determined from a given process safety time value during normal on-line safety operation. The execution of the test application 3 is made during on-line control of real-world objects 24, which implies that the application program is also executing in the CPU. In one embodiment it is the complete test application which is executed before the execution cycle is repeated. In a preferred embodiment the test application is divided into a plurality of functional parts, where each of the functional parts is executed before the execution cycle is repeated. In a preferred embodiment each of the functional parts has a corresponding pre-defined result.
Figure 2 also shows the step of comparing 19 the result 10 of the test application with the predefined result or one of the predefined results. The comparing step is in a preferred embodiment mainly performed by a validation module 11. Figure 2 shows the further step of detecting 20 a fault in the CPU 8, 22. In one embodiment the detection is made such that an operator is notified, for instance by means of an alarm system. The detecting may comprise that the assembler instruction and/or test function is stored in a log or similar means for analysis purposes. A further step of aborting 21 the execution of the application program prohibits the execution of the assembler instruction which otherwise would cause the application program to fail.

The previously mentioned steps are mentioned in an order which is an example of the order the steps can be performed in.
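As an added example, not from the patent, the comparing, detecting and aborting steps above, together with the validation module, sequence numbers and input values from the figure 1 description, can be modelled as follows. The three functional parts and their pre-defined results are constructed toy arithmetic standing in for compiled IEC 61131-3 constructs, and a shared slot with a ready flag stands in for the dual port memory and the synchronization.

```c
/* Added example, not from the patent: a validation module (11) supplies
 * input values (9), reads the test application's output (10) together with
 * its sequence number, and compares it with the pre-defined result of that
 * functional part. Parts and results are constructed values. */
#include <stdint.h>
#include <stdio.h>

/* One functional part: its input and the result pre-computed off-line on a
 * known-good CPU (constructed). */
typedef struct { uint32_t input; uint32_t expected; } test_part;

static const test_part PARTS[] = {
    { 7u,          7u * 3u + 1u },       /* multiply/add path: 22 */
    { 0x00F0u,     0x00F0u & 0x00FFu },  /* logical path */
    { 0x80000000u, 0x80000000u >> 4 },   /* shift path */
};
#define N_PARTS ((uint32_t)(sizeof PARTS / sizeof PARTS[0]))

typedef enum { VALIDATE_OK = 0, VALIDATE_NOT_READY,
               VALIDATE_SEQ_MISMATCH, VALIDATE_FAULT } verdict;

/* The test application's functional part for sequence number `seq`.
 * `fault_part` (or -1 for none) selects a part whose answer is corrupted,
 * standing in for a register or cache fault on that instruction path. */
uint32_t run_part(uint32_t seq, uint32_t in, int fault_part) {
    uint32_t out;
    switch (seq % N_PARTS) {
    case 0:  out = in * 3u + 1u; break;
    case 1:  out = in & 0x00FFu; break;
    default: out = in >> 4;      break;
    }
    if ((int)(seq % N_PARTS) == fault_part) out ^= 1u;   /* injected fault */
    return out;
}

/* Comparing step (19): the module only trusts an output whose sequence
 * number matches the part it supplied input for, and a missing answer is
 * reported separately so a stuck CPU cannot pass by silence. */
verdict validate(int ready, uint32_t seq, uint32_t value, uint32_t expected_seq) {
    if (!ready) return VALIDATE_NOT_READY;
    if (seq != expected_seq) return VALIDATE_SEQ_MISMATCH;
    if (value != PARTS[expected_seq % N_PARTS].expected) return VALIDATE_FAULT;
    return VALIDATE_OK;
}

/* Run `cycles` test cycles, one functional part per step. Returns -1 if every
 * comparison passed, otherwise the sequence number at which the fault was
 * detected (step 20), where the application program would be aborted (21). */
int run_cycles(int cycles, int fault_part) {
    for (uint32_t seq = 0; seq < (uint32_t)cycles * N_PARTS; seq++) {
        uint32_t in = PARTS[seq % N_PARTS].input;        /* input values 9 */
        uint32_t out = run_part(seq, in, fault_part);    /* output value 10 */
        int ready = 1;                                   /* synchronization 12 */
        if (validate(ready, seq, out, seq) != VALIDATE_OK) return (int)seq;
    }
    return -1;
}

int main(void) {
    printf("healthy CPU: %d\n", run_cycles(4, -1));                    /* -1 */
    printf("fault on part 1: detected at seq %d\n", run_cycles(4, 1)); /* 1 */
    return 0;
}
```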

Figure 3 shows another embodiment of the invention, which is a system, such as an industrial control system 25, comprising an industrial controller with a central unit 21 equipped with a CPU 22 intended for safety control of real world objects 24, and an I/O system 23 where the CPU 8, 22 is subject to fault detection according to the above described method.

Examples of real world objects subject to safety control are actuators, valves, motors, drive systems and fans. Further examples are more complex real world objects such as gas/smoke/fire detection systems, drilling equipment, pipes and pipelines, distillation columns, compressors, conveyor systems, boilers and turbines. An example of a more complex real world object 24 is shown in figure 3.
1. A method to detect a fault in a CPU of an industrial controller during on-line safety control of real world objects, comprising the steps of

- compiling an application program into assembler instructions, which application program was previously defined in a high level language intended for safety control,

characterised in that the method comprises the steps of

- compiling a test application into assembler instructions, where the assembler instructions are a subset of the total number of assembler instructions available for the CPU, which test application was previously defined in said high level language intended for safety control and the test application covers at least all language constructs used in the application program,

- downloading the application program and the test application to a central unit of an industrial controller,

- executing repeatedly the test application in the industrial controller,

- comparing repeatedly by means of a test module a result from the test application with the pre-defined result in the test module,

- detecting a fault in the CPU as the result from the test application does not equal the pre-defined result stored in the test module and the unexpected result of the test application is due to the execution of an assembler instruction of the test application,

- aborting the execution of the application program, wherein the application program is prohibited from executing the assembler instruction which otherwise would cause the application program to fail.

2. A method according to claim 1 where the assembler version of the test application comprises assembler code derived from all language constructs in the high-level language available for safety control of real world objects.



3. A method according to claim 1 or claim 2 where the high level language intended for safety control is based on IEC 61131-3.

4. A method according to claim 3, characterised in that the step of defining a test application comprises an analysis of the application in order to determine the subset and software libraries used in the said application code.

5. A method according to claim 4, characterised in that the step of defining a test application is made automatically without any additional command from an

6. A method according to claim 5, characterised in that the step of executing the test application repeatedly is performed by a cyclic execution of the test application where the cycle time is determined from a given process safety time value.

7. A method according to claim 6, characterised in that the said test application before an execution receives a set of input values and the input values are generated by means of the test module.

8. A method according to claim 7, characterised in that the down-loading step of application program and test application comprises the additional step of down-loading


10. A computer program product, for use in an industrial control system, containing software code means loadable into the central unit of an industrial controller intended for safety control of real world objects, said computer program product characterised in that it comprises means to make the industrial controller:

- execute repeatedly the test application in the industrial controller,

- compare repeatedly by means of a test module a result from the test application with the pre-defined result in the test module,

- detect a fault in the CPU as the result from the test application does not equal the pre-defined result stored in the test module and the unexpected result of the test application is due to the execution of an assembler instruction of the test application,

- abort the execution of the application program, wherein the application program is prohibited from executing the assembler instruction which otherwise would cause the application program to fail, all steps according to the method in claim 1.

11. An industrial control system, comprising an industrial controller with a central unit equipped with a CPU intended for safety control of real world objects, and an I/O system, characterised in that the CPU is subject to fault detection according to the method in claim 1.



ABSTRACT

The invention deals with improved reliability in safety critical control of real world objects. Examples of real world objects subject to safety control are gas/smoke/fire detection systems, drilling equipment, pipes and pipelines, distillation columns, compressors, conveyor systems, boilers and turbines. A test application includes all relevant high-level language constructs and is repeatedly executed as assembler code in an industrial controller, whose CPU is subject to fault detection during on-line safety control.
Fig. 2

Fig. 3